常见的头缺失或不安全问题:
1、“Content-Security-Policy”头缺失或不安全
2、“X-Content-Type-Options”头缺失或不安全
3、“X-XSS-Protection”头缺失或不安全
4、设置HTTP请求头(X-Frame-Options)
解决方法:
中间件为IIS,网站根目录下找到“web.cofig”文件,没有则新建该文件。复制以下代码,粘贴到web.cofig文件中(新建全部复制,已有复制system.webserver)
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="default-src 'self';" />
<add name="X-Content-Type-Options" value="nosniff"/>
<add name="X-XSS-Protection" value="1;mode=block"/>
<add name="X-Frame-Options" value="SAMEORIGIN"/>
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
HTML前端解决方法:
<meta http-equiv="Content-Security-Policy" content="default-src 'self'"/>
<meta http-equiv="X-Content-Type-Options" content="nosniff" />
<meta http-equiv="X-XSS-Protection" content="1; mode=block" />
<meta http-equiv="X-Frame-Options" content="SAMEORIGIN">